Trejkaz created COLLECTIONS-538:
-----------------------------------
Summary: ExtendedProperties causes AccessControlException when
framework is called from a script
Key: COLLECTIONS-538
URL: https://issues.apache.org/jira/browse/COLLECTIONS-538
Project: Commons Collections
Issue Type: Bug
Components: Collection
Affects Versions: 3.2.1
Environment: Java security manager enabled
Reporter: Trejkaz
We're using Velocity 1.7, which depends upon Commons Collections 3.x series'
ExtendedProperties class.
ExtendedProperties has these constructors where it looks up the file separator
using the least convenient means possible:
{code}
public ExtendedProperties() {
this.fileSeparator = System.getProperty("file.separator");
// ...
}
{code}
For us, this is all being called from untrusted code, so this fails with
AccessControlException.
I think that instead of using the system property here, it is customary to use
the File.separator constant.
If you absolutely _must_ use System.getProperty() to fetch this value, it
should at least be done from a doPrivileged() block.
Also I had a quick check of Commons Collections 4 to see if this issue had been
fixed, but couldn't immediately see what happened to this class. If it did turn
out to have been fixed in v4, maybe Velocity could be encouraged to update to
v4, but I haven't seen any updates from them in 4 years, so it's probably not a
good sign.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
